CVE-2007-5731 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5731): Absolute path traversal vulnerability in Apache Jakarta Slide 2.1 and earlier allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag, a related issue to CVE-2007-5461.
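Added example, not part of the bug report and not the Slide change in r590978: a Python pre-filter that inspects a WebDAV request body for the DOCTYPE and SYSTEM entity declarations the CVE description refers to, so a server or proxy can refuse such a request before any entity is resolved. The function names and both sample bodies are constructed for illustration.

```python
import xml.parsers.expat


class _PrologDone(Exception):
    """Internal signal: the root element was reached, the prolog is over."""


def dtd_findings(body: bytes) -> list:
    """Return the DOCTYPE/entity declarations found in an XML request body."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"doctype {name}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = f"SYSTEM {sysid}" if sysid else "internal"
        findings.append(f"entity {name} ({kind})")

    def on_root(name, attrs):
        # A DTD can only appear before the root element, so stop here;
        # the element content (and any entity reference in it) is never parsed.
        raise _PrologDone

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(body, True)
    except _PrologDone:
        pass
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


def should_reject(body: bytes) -> bool:
    """WebDAV request bodies have no need for a DTD; refuse any that carry one."""
    return bool(dtd_findings(body))


# Constructed sample bodies (not captured traffic).
BENIGN = (b'<?xml version="1.0"?><D:propertyupdate xmlns:D="DAV:"><D:set><D:prop>'
          b'<D:displayname>notes</D:displayname></D:prop></D:set></D:propertyupdate>')
SUSPECT = (b'<?xml version="1.0"?>\n<!DOCTYPE propertyupdate [\n'
           b'  <!ENTITY probe SYSTEM "file:///CONSTRUCTED/PLACEHOLDER">\n]>\n'
           b'<D:propertyupdate xmlns:D="DAV:"><D:set><D:prop>'
           b'<D:displayname>&probe;</D:displayname></D:prop></D:set></D:propertyupdate>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, should_reject(body), dtd_findings(body))
```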
This bug is related to bug #196066. Java, please advise.
(In reply to comment #1)
> This bug is related to bug #196066.
>
> Java, please advise.

Well it's not stable so at least we don't have those machines affected. There is no new upstream release available or patches in the security reports so don't really know if we can do much.
The error is fixed in the SVN. I don't know their release cycle, is there a new RC close?

$ svn log -r 590978 http://svn.apache.org/repos/asf/jakarta/slide
------------------------------------------------------------------------
r590978 | ozeigermann | 2007-11-01 13:27:06 +0100 (Thu, 01 Nov 2007) | 3 lines

Quick-fix for security issue raised here www.milw0rm.com/exploits/4567
------------------------------------------------------------------------
Petteri, can you include the patch in case they do not release?
(In reply to comment #4)
> Petteri, can you include the patch in case they do not release?

That patch is for some server code. jakarta-slide-webdavclient is client side code so the patch doesn't have much to do with this package. As this seems to be a server issue I think this bug is INVALID for jakarta-slide-webdavclient. Please reopen if you don't agree.
ACK, you're right.